Recent efforts by browsers urge administrators to update SSL security on websites. This includes a big push to upgrade legacy SHA-1 certificates to SHA-256. Staying up to date is critical for ongoing data security and for keeping online trust.
The Chrome browser led the way in how browsers are choosing to handle SHA-1 certificates, and customers and users on some sites secured by DigiCert have reported that they are getting an error that reads, “This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.”
The problem is related to a locally installed legacy intermediate certificate that is no longer used or required for the certificate installation. The problem can affect any client platform with a locally cached or installed intermediate certificate.
The certificate in question is the “DigiCert High Assurance EV Root CA” certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. This certificate is unnecessary for installations.
One of the reasons this error will appear is if there is a cross-signed SHA-1 intermediate certificate in your certificate chain.
To determine where the error is occurring, use the DigiCert SSL Installation Diagnostic Tool. Type in the name of your server and click “Check Server.” If a cross-signed intermediate certificate shows up in the certificate chain, the problem is on the server side. If there is no cross-signed intermediate certificate in the chain, the problem is on the browser side. To fix the error on the browser side, click here.
To fix the error, you need to remove the cross-signed intermediate certificate so it does not bridge over to another Certificate Authority’s root certificate.
How to Remove the Cross-signed Intermediate Certificate for Windows
These instructions were created on Windows Server 2012. You may need to modify these instructions depending on which version of the operating system you are using.
How to Remove the Cross-signed Intermediate Certificate for Apache and Nginx
Apache: edit the SSLCertificateChainFile /path/to/DigiCertCA.crt directive so that the file it points to contains only one certificate, the intermediate that issued your server certificate.
Nginx: edit the ssl_certificate /etc/ssl/your_domain_name.pem; directive so that the file it points to contains only the server certificate followed by its issuing intermediate certificate.
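Before and after editing the Apache or Nginx chain file, it helps to confirm what the file actually contains: how many certificates are in it and whether any of them carries a SHA-1 signature, which is how a cross-signed legacy intermediate shows up. The following script is an added example and not DigiCert's diagnostic tool. It splits a PEM bundle into its certificates, walks the outer signatureAlgorithm field of each with a minimal DER reader, and reports the signature OID per certificate. The sample bundle it runs on is constructed by the small DER encoder at the bottom (an empty tbsCertificate with a real signatureAlgorithm layout), not a real certificate; the file paths in the usage block are the placeholders from this page.

```python
"""Audit a PEM certificate bundle for SHA-1-signed certificates.

Added example (not DigiCert's tool). Only the outer signatureAlgorithm OID
is inspected, which is enough to spot a sha1WithRSAEncryption-signed
cross-signed intermediate and to count how many certificates a chain file
carries. The sample chain below is constructed, not a real certificate.
"""
import base64
import re

SHA1_RSA_OID = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this sub-identifier
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, start, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)               # tbsCertificate (skipped)
    tag, alg_start, _ = _read_tlv(der, tbs_end)        # signatureAlgorithm SEQUENCE
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OID
    assert tag == 0x06, "expected an OID"
    return _decode_oid(der[oid_start:oid_end])


def audit_bundle(pem_text):
    """Return [(index, signature_oid, is_sha1), ...] for each cert in the bundle."""
    result = []
    for i, body in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(body.split()))
        oid = signature_oid(der)
        result.append((i, oid, oid == SHA1_RSA_OID))
    return result


# --- constructed sample data (tiny DER encoder; not real certificates) ---
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(chunk)
    return _der(0x06, body)


def fake_cert_pem(sig_oid):
    """Constructed stand-in: empty tbsCertificate, real signatureAlgorithm layout."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" * 5)                            # dummy BIT STRING
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed chain: server cert, issuing intermediate, then a SHA-1 cross-sign.
SAMPLE_CHAIN = (fake_cert_pem(SHA256_RSA_OID) + fake_cert_pem(SHA256_RSA_OID)
                + fake_cert_pem(SHA1_RSA_OID))

if __name__ == "__main__":
    # Replace SAMPLE_CHAIN with open("/etc/ssl/your_domain_name.pem").read()
    # or open("/path/to/DigiCertCA.crt").read() to audit a real chain file.
    for idx, oid, sha1 in audit_bundle(SAMPLE_CHAIN):
        print(f"cert {idx}: {oid}{'  <-- SHA-1 signed' if sha1 else ''}")
```

For the Nginx layout described above the report should show exactly two certificates and no SHA-1 flag; for the Apache SSLCertificateChainFile it should show one. A third certificate flagged as SHA-1 signed is the cross-signed intermediate to delete from the file.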
All recent installations of certificates issued by DigiCert include the most up-to-date intermediates in order to establish trust with browsers.
If you have problems on other operating systems, please contact support so we can get additional details and update our documentation for other users to resolve the cached intermediate error.
If you need assistance with this or any other issues, our Support Team is always happy to help.